Want to Really Get Scared? Look at Your Company’s Cybersecurity
For the typical CIO, every month is cybersecurity month. But in October—perhaps because people are spooked by Halloween—the rest of the U.S. gets into the act.
The Federal Communications Commission, along with the U.S. Department of Homeland Security, the Multi-State Information and Analysis Center, and the National Cyber Security Alliance (NCSA), has celebrated National Cyber Security Month (NCSAM) for the past 11 years. Its goal is to raise awareness about cyber security among consumers, businesses, and educational institutions and get everyone to recognize that “the Internet is a shared resource that requires all consumers to assume personal responsibility for securing their personal devices.”
State governments in particular are focused on the effort. It was launched at the National Association of State Chief Information Officers (NASCIO) conference in Nashville, Tenn. In addition, individual states, such as South Dakota, Washington, and Pennsylvania, are putting forth their own cybersecurity efforts this month.
Unfortunately, there has been a steady scroll of reminders recently about the importance of cybersecurity—everything from credit card breaches at Target and Home Depot to security flaws in computers and smartphones. The FBI cited several incidents this year alone where it worked with other organizations to catch and prosecute hackers who were stealing information from U.S. corporations.
According to a number of surveys, cybersecurity is more of an issue than ever, writes Politico:
- A PwC survey found nearly 43 million cyber incidents this year, up 48 percent from last year. These include theft of data, theft of money, sabotage against websites, and spread of malware. The average annual estimated loss due to these incidents was $2.7 million in this year’s edition of The Global State of Information Security Survey, up 34 percent from 2013.
- Trend Micro’s analysis of more than 570 million tweets showed that more than 33 million—5.8 percent—had links to malicious content of some kind, including malware, spammed advertisements, and phishing pages, according to the security company’s white paper, An In-Depth Analysis of Abuse on Twitter.
- Identity theft and “personal cybersecurity” top the list of Americans’ greatest security concerns, worrying 70 percent and 61 percent of Americans respectively, according to an online survey of 2,000 Americans conducted by Harris Poll for the University of Phoenix College of Criminal Justice and Security.
- Seventy-one percent of working Americans who have their own mobile devices are able to connect them to their employers’ network, but most don’t employ proper security precautions when they do, according to a survey of 1,045 American adults conducted for the security firm Bitdefender.
Consequently, the demand for cybersecurity professionals is growing 3.5 times faster than the overall IT job market, and 12 times faster than the total labor market, according to a recent survey by Raytheon and NCSA.
Many of the security recommendations from various government and industry sources in honor of NCSAM are intended for consumers, but a number of them are applicable to business professionals as well:
- Set a lock screen on your device. “Make sure it locks itself after one to two minutes. Also avoid saving passwords for sensitive sites on your mobile device—manually log into each app/site each time you need to access it,” says Raechelle Clemmons, vice president and chief information officer at St. Norbert College.
- Remove any common ‘known’ networks from your mobile devices when attending a conference. “Hackers will attempt to use common saved network names to attempt to get your phone to connect to their rogue access point. Use your own phone charger when connecting to mobile device charge stations. Attaching your mobile device to an unknown USB cord could give unauthorized access to the data on your device. Be wary of vendor giveaways. Be especially careful with items such as free USB storage devices, as they could carry malware,” advises the International Information Systems Security Certification Consortium, (ISC)².
- Tighten account security. “You should also use dual factor authentication on all of your accounts when available,” writes security expert Steve Weisman in USA Today. In addition, “You also should change the answer to your security question to something completely nonsensical,” he writes. “Unfortunately the answers to common security questions, such as your mother’s maiden name, can be found with a little effort by an identity thief in the many places on the Internet that store personal information. So instead of the answer to your mother’s maiden name being ‘Jones,’ change it to something nonsensical like ‘Grapefruit.’”
There are events scheduled all month, so keep an eye on the NCSAM web page to see what’s coming up that’s relevant for your company. NCSAM also has its own Twitter feed (#NCSAM). In addition, DHS created a page specifically for businesses to help them improve computer security.
Ultimately, security experts say, the misconception is that cybersecurity is merely an issue of protecting hardware and software that can be solved by throwing enough money at the problem. “Somehow all your cyber fears can be solved by handing over the problem to a ‘man on cyber horseback’ who will ride in to save you … if only you give them sufficient budget and authorities,” says scholar and strategist Peter Singer in Politico. “The reality is that it is a people problem and the solution lies in understanding the strategy of your potential adversaries and adapting a security architecture and policies that not only address technical vulnerabilities, but also human vulnerabilities,” agrees former DHS Secretary Michael Chertoff.